2013 Application Security Survey - Draft

Page 1. Introduction

Thank you for taking the time to participate in the second annual CISO Global Application Security Survey (GASS), created by the Open Web Application Security Project (OWASP).

There is no question that application security has become a serious concern in almost every industry. We created this survey to provide you with an opportunity to compare your organization with others on important application security issues and gain insights for making key decisions.

The GASS questionnaire consists of 17 questions concerning application security. They relate to investments and challenges, threats and risks, tools and technology, and governance and control within your organization. Your participation in responding to this questionnaire should require less than 20 minutes of your time.

At the conclusion of the survey, the combined results will be publicly available on the owasp.org website, and no identifiable individual responses collected in this questionnaire will be disclosed in the published survey report.

Page 2. Instructions

All responses in this survey are optional, but for the completeness of the report, please try to respond to all questions in the questionnaire. Please feel free to add additional information and views from colleagues in your organization.

Deadline for submission of the completed survey is 31 January, 2013.

Thank you for your participation!

Page 3. Threats and Risks

1. Given the current threat landscape and economic environment, do you perceive a change in the threats facing your organization? (choose all that apply)
[1-3, increase, same, decrease, don't know]

2. Targeting (Infrastructure vs. Applications):
In your current threat landscape, what are the main areas of risk for your organisation? Allocate a percentage to each area so that the three add up to 100%:

Infrastructure %

Application %

Other %

3. Compared to 12 months ago, do you see a change in these areas:
[1-3, increase, same, decrease, don't know]

Infrastructure

Application

Other

Page 4. Threats and Risks (continued)

4. From the following list, which are the top five sources of application security risk within your organization?
(Please mark your top area of risk with a "1," your second with a "2," your third with a "3," your fourth with a "4," and your fifth with a "5")

Insecure source code development

Lack of awareness of application security issues within the organization

5. Regarding your top five areas of application security risk (above), which of the following statements best describes your organization's planned investment in these areas in the coming 12 months? (choose one)

Increasing level of investment planned

Decreasing level of investment planned

Relatively constant level of investment planned

Page 5. Investments and Challenges

6. Which of the following statements best describes your organization's annual investment in application security? (choose one)

Increasing as a percentage of total expenditures

Decreasing as a percentage of total expenditures

Relatively constant as a percentage of total expenditures

7. Is your organization spending more on application security in response to a breach or security incident related to a web application? (choose one)
Yes No

Page 6. Investments and Challenges (continued)

8. Please indicate your top five application security priorities for the coming 12 months from the following list. (Specify your top 5 priorities, marking your top priority with a "1," your second priority with a "2," etc.)

14. Which of the following have been implemented or are planned to be implemented by your organization to provide application security capability? (choose all that apply)

Currently implemented Planned within 12-18 months No plans to implement

Web application firewalls

Source code analyzers

Runtime analyzers

SaaS Web Application Vulnerability Scanners

Desktop Web Application Vulnerability Scanners

Other

(please specify other below):

Page 11. Tools and Technology (continued)

15. What types of security testing (e.g., penetration testing) will be performed at your organization over the next year? (choose all that apply)

Application layer focused attack and penetration

Application layer focused scanning

Application security code reviews

Application configuration reviews

External network attack and penetration

External network vulnerability scanning

Host-based configuration reviews

Internal network attack and penetration

Internal network vulnerability scanning

Phishing-based social engineering assessments

Phone-based social engineering assessments

Physical-based social engineering assessments

Wireless network attack and penetration

Other (please specify)

Page 12. Governance and Control

16. Does your organization have a documented application security strategy?

Yes

No

17. For how long does this application security strategy plan ahead?
3 months, 6 months, 1 year, 2 years, 3 years, 5 years+

18. Your application security strategy: (choose all that apply)

...has been reviewed and updated within the past 12 months

...is aligned with, or integrated into, the organization's business strategy

...is aligned with, or integrated into, the organization's IT strategy

...outlines our key security activities for the next 12 months

Page 13. Governance and Control (continued)

19. Which of the following statements best describes your organization's application security strategy in regards to the risks associated with the increased use of social networking, personal devices, or cloud computing? (choose one)

Self assessments or other certifications performed by partners, vendors, or contractors

No reviews or assessments performed

Page 17. Wishes and suggestions

Last but not least, all your feedback is very important to us, and the community is continuously striving to improve.
If you could wish freely, what kind of OWASP project, guidance or tool would you like to see in the future that could really improve your daily life and operation around web and application security?

Page 18. This Completes the Survey

This completes the survey. We would appreciate just a few personal and professional details so that we can better relate the data to industry and type of organisation. This will also give you an opportunity to leave your contact information if you would like us to follow up with you regarding the survey results. Once again, all responses are optional.
Yes, I am willing to take a couple more minutes to assist with survey benchmarking.
No, I prefer to exit the survey at this point.

Page 20. Organization Information

Total number of employees: (choose one)
Less than 1,000
1,000 to 9,999
10,000 to 49,999
50,000 to 100,000
More than 100,000

Annual revenue (in USD): (choose one)
Less than $100 million
$100 million to $249 million
$250 million to $499 million
$500 million to $999 million
$1 billion to $9 billion
$10 billion to $24 billion
More than $24 billion
Not applicable